
O1 HJT Redirects I can't get rid of



#1 bludshot

bludshot

  • Members
  • 657 posts
  • OFFLINE
  •  
  • Local time:03:08 PM

Posted 02 March 2012 - 04:00 AM

Ok, my Windows 7 computer was randomly redirecting me, like I would be clicking on links in youtube and it would go to some other site. So I ran HJT and it has the following entries:

O1 - Hosts: ::1 localhost
O1 - Hosts: 67.215.245.19 www.google-analytics.com.
O1 - Hosts: 67.215.245.19 ad-emea.doubleclick.net.
O1 - Hosts: 67.215.245.19 www.statcounter.com.
O1 - Hosts: 108.163.215.51 www.google-analytics.com.
O1 - Hosts: 108.163.215.51 ad-emea.doubleclick.net.
O1 - Hosts: 108.163.215.51 www.statcounter.com.

When I loaded HJT it gave an error about not being able to access the hosts file. I went to drivers/etc and the hosts file was not there. I had to use the command line to do some tricky things (gain ownership of the file, and remove the S and H attributes) so that I could see and open the file. All that's in the file is:

127.0.0.1 localhost
::1 localhost


The ::1 localhost looks weird to me, is that ok?

Anyhow, then I scanned with HJT, found those O1 entries above, and fixed them. And rebooted. Then I scanned with HJT and those entries were back!

Where are they coming from if not the hosts file?

And are they bad or just normal? They seem odd!

Thanks!
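As an added triage helper (example code, not from this thread or from HijackThis), the script below reads hosts-file lines or HJT O1 lines and sorts them the way a responder reads the report above: loopback entries for localhost (including ::1 localhost) are the expected defaults, sinkhole entries keep traffic on the host, and a real site name mapped to a remote address is a redirect. The sample input is constructed from the entries quoted in this post; the registry value named in the comment is the standard place Windows stores the hosts-file location.

```python
import ipaddress
import re

# Constructed sample: HJT "O1 - Hosts:" lines quoted in this post, the loopback lines
# from the visible hosts file, and one constructed ad-blocking entry for contrast.
SAMPLE = """\
O1 - Hosts: ::1 localhost
O1 - Hosts: 67.215.245.19 www.google-analytics.com.
O1 - Hosts: 67.215.245.19 ad-emea.doubleclick.net.
O1 - Hosts: 108.163.215.51 www.statcounter.com.
127.0.0.1 localhost
0.0.0.0 ads.example.invalid   # constructed: sinkhole entry, not a redirect
"""

# Windows locates the hosts file via this registry value (default %SystemRoot%\System32\drivers\etc);
# check it when a tool reports entries that the visible file does not contain.
HOSTS_PATH_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath"

LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
O1_PREFIX = re.compile(r"^O1 - Hosts:\s*")

def parse_hosts(text):
    """(ip, name) pairs from hosts text or HJT O1 lines; comments and trailing FQDN dot removed."""
    entries = []
    for raw in text.splitlines():
        line = O1_PREFIX.sub("", raw).split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address: stray text, not a hosts entry
        for name in fields[1:]:
            entries.append((str(ip), name.lower().rstrip(".")))
    return entries

def classify(text):
    """Bucket entries as expected default, local sinkhole, or redirect (name sent to a routable address)."""
    result = {"default": [], "block": [], "redirect": []}
    for ip_str, name in parse_hosts(text):
        ip = ipaddress.ip_address(ip_str)
        if ip.is_loopback and name in LOCAL_NAMES:
            result["default"].append((ip_str, name))   # 127.0.0.1 / ::1 localhost are normal
        elif ip.is_loopback or ip.is_unspecified:
            result["block"].append((ip_str, name))     # traffic never leaves the host
        else:
            result["redirect"].append((ip_str, name))  # traffic for a real site goes elsewhere
    return result
```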



#2 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:11:08 PM

Posted 03 March 2012 - 10:16 AM

Hi,

Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds file to run the tool.
  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop. Post them back to your topic.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal instructions are meant to be used in the corresponding user's case only. If you have similar symptoms, please create your own topic instead of following instructions given to someone else.


#3 bludshot


Posted 04 March 2012 - 04:08 AM

DDS.txt and Attach.txt attached


#4 Blade81


Posted 04 March 2012 - 05:53 AM

Hi,

Vuze
Vuze Remote Toolbar


The programs listed above are P2P file sharing programs. P2P downloads are nowadays one of the things most likely to bring an infection into the system. My recommendation is to uninstall these (and any other P2P file sharing programs, if present).


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.


Please continue as follows:

  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
    Remember to re-enable them afterwards.

  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.



#5 bludshot


Posted 05 March 2012 - 12:32 AM

I will uninstall Vuze and Vuze Remote Toolbar.

And I'll run combofix and post those logs.

By the way, are those O1 entries normal or bad?

Edited by bludshot, 05 March 2012 - 12:41 AM.


#6 bludshot


Posted 05 March 2012 - 02:01 AM

Here are the logs (attached)


#7 Blade81


Posted 05 March 2012 - 10:23 AM

Hi,

Yes, those O1 entries (except the very first one) were bad.

* Go here to run an online scanner from ESET.
  • Note: You will need to use Internet explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is UNchecked and the option Scan unwanted applications is checkmarked.
  • Click Scan
  • Wait for the scan to finish and then copy-paste results back here (if anything found). Any symptoms left?



#8 bludshot


Posted 05 March 2012 - 04:38 PM

ESET only found one threat. It's on an old secondary hard drive and it appears to be a file that SpyBot quarantined:

H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSvchost1.zip Win32/Bagle.gen.zip worm

I assume this file is safe to delete?

So far since running ComboFix, I haven't experienced any more browser redirecting.

#9 Blade81


Posted 06 March 2012 - 03:35 AM

Hi,

Yes, it's safe to delete that file.


If no other issues left let's see the final steps then :)


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing them. This is the only way to clean these files: you will lose all previous restore points, which are likely to be infected. Please note you need Administrator access to clean the restore points.

A. To disable the System Restore feature:

1. Click on the Start button.
2. Hover over the Computer option, right click on it and then click Properties.
3. On the left hand side, click Advanced Settings.
4. If asked to permit the action, click on Allow.
5. Click on the System Protection tab.
6. Select c: drive and click Configure...
7. Select Turn off protection
8. Press OK.
Repeat steps 6-8 for each hard drive.

B. Reboot.

C. Turn ON System Restore.
Follow the steps you took when disabling System Restore, but at step 7 select the Restore system settings and previous versions of files option.


Now let's uninstall ComboFix:
  • Click START then RUN
  • Now copy-paste Combofix /uninstall in the runbox and click OK


UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You need to update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the Windows Update site to get the critical updates (it will actually open the Windows Update window).


Download and run Secunia Personal Software Inspector (PSI) and fix its findings. Leave the program installed so you'll stay alarmed about vulnerable components in future too.


Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade B)



#10 bludshot


Posted 06 March 2012 - 11:54 PM

Cleared the restore points and uninstalled ComboFix successfully. Also downloaded and ran Secunia PSI.

Everything seems to be working perfectly. Thank you so much for your help!

#11 Blade81


Posted 07 March 2012 - 01:31 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.





